NYT, WSJ Hacks Scrutinized By Security Community

China is again being blamed, but security experts criticize the lack of evidence, call on the media outlets to release full details of the attacks.

Chinese hackers breached the network of the The Wall Street Journal as part of what's been dubbed a broader "cyberspying" campaign against U.S. media.

The Journal discovered the breach after being notified by the FBI that it had seen data that appeared to have been stolen from the Journal's Beijing bureau. After the Journal hired a firm to conduct a digital forensic investigation, it found that the newspaper's systems had been breached -- first in Beijing, and then globally.

The Journal's self-published account of the attacks failed to specify the length of time that attackers might have had access to the paper's network. Instead, the story made general allusions to an FBI investigation into media hacking incidents, which began more than a year ago, and is being treated as a national security matter. Likewise, the newspaper's account made general reference to the fact that many security experts believe that "a foreign entity" has been attempting to compromise U.S. companies' security.

The Journal also noted that investigators hadn't been able to identify all of the Journal information that attackers may have accessed. After discovering the breach and watching what information attackers accessed, however, the investigators hired by the Journal said the targets appeared to be a handful of journalists in its Beijing bureau, including the bureau chief.

"Evidence shows that infiltration efforts target the monitoring of the Journal's coverage of China and are not an attempt to gain commercial advantage or to misappropriate customer information," said Paula Keve, a spokeswoman for Journal publisher Dow Jones, which is part of News Corp., in a written statement Thursday.

The Journal's Thursday story that it had been the victim of a sustained hacking effort, seemingly aimed at amassing intelligence about the stories that the paper was writing -- and likely the identity of reporters' Chinese sources, mirrors a Wednesday story published by the The New York Times, which said it, too, had been the victim of a sustained hacking campaign that sought information, rather than business secrets.

Is the Chinese government behind the attacks? Multiple China watchers have hypothesized that the attacks may have been an effort by Chinese officials to try and manage the country's global image.

But Chinese government officials have denied having any part in the hacking. "It is irresponsible to make such an allegation without solid proof and evidence," Chinese Embassy spokesman Geng Shuang said, according to the Journal. "The Chinese government prohibits cyberattacks and has done what it can to combat such activities in accordance with Chinese laws."

But chief research officer at F-Secure Mikko Hypponen thinks China was likely involved. "I believe the attack against New York Times did genuinely come from China as a reaction to their reporting," he told TechWeekEurope. "It might be impossible to prove that, though."

The Times and Journal reporting has provoked skepticism -- and not just about the supposed Chinese tie -- from multiple security experts, with Robert David Graham, CEO of Errata Security, criticizing the Times' account of how the Times was hacked, saying it "contains no content" about the actual hacking. "It may be true that the NYTimes was targeted by the Chinese government, but the story cites no credible evidence supporting that conclusion," he said in a blog post. "What the story does cite is the conclusion from 'security expert.' But it waves hands over which specific expert made which specific claim. It's hard judging who they are, their expertise or the evidence that leads them to make that conclusion."

Noting that the story also contained a number of inaccuracies on the information security front, he called on the Times to come clean and publish everything it knows. "Dump the password hashes the hackers stole, the exact malware samples, the list of proxy IPs and so on. Then, instead of having to take the 'expert's' word, we can look at the raw data ourselves," he said.

One fact that's not been disputed was the apparent malware-blocking success rate -- just 2% -- experienced by the Times against its advanced persistent threat (APT) attackers. That squares with a study recently published by security firm Imperva and the Technion Israeli Institute of Technology, which found that most antivirus software detects about 5% of new malware, though it can take approximately four weeks before in-the-wild malware gets spotted. "Although vendors try to update their detection mechanisms, the initial detection rate of new viruses is nearly zero," according to the study. "We believe that the majority of antivirus products on the market can't keep up with the rate of virus propagation on the Internet."

The Times hasn't come clean about what security strategies it previously had in place, although a statement released by its antivirus vendor, Symantec, suggested that the Times relied on little more than signature-based antivirus products. On a related note, the Times' account of the hacking published Wednesday said that the paper had recently overhauled its security infrastructure. Meanwhile, the Journal's hacking story said that paper had finished a network security overhaul Thursday.

Based on the breaches, "here's the message for security: rebalance the security portfolio," said Rob Rachwald, director of security strategy at Imperva, in a blog post. "Use free antivirus and spend some money modernizing your security strategy."

A breach at a media outlet is a "national security matter" - since when? Does the WSJ have access to state secrets or is this simply an over-dramatization (which one certainly wouldn't expect from the WSJ)?

If China is behind this and possibly looking to prosecute sources, are there any American lives in danger? Why hasn't the State Department and CIA been engaged?

One has to wonder about the push behind the sensationalism... smokescreen for something else? Conspiracy theories anyone?

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.